SaTC: CORE: Small: A Transparent and Customizable Android Container-Based Virtualization Architecture for Dynamic Malware Analysis

SaTC：CORE：Small：用于动态恶意软件分析的透明且可定制的基于 Android 容器的虚拟化架构

• 批准号: 2128703
• 负责人: Jiang Ming
• 金额: $ 50万
• 依托单位: University of Texas at Arlington
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2023-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2128703&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Transparent; Customizable

With the success of Android mobile device markets, Android malicious software (malware) threatens billions of smartphone users. Driven by financial profit, malware authors are highly motivated to evade detection and to challenge forensics procedures. In the malware detection/evasion arms race, defenders apply analysis techniques that require a highly controlled environment to collect data about malware actions and gain insights into their intents, while still preventing malware from discovering that it is operating in an analysis environment. The project introduces a novel and customizable malware analysis environment capable of handling evasive Android malware. The software artifacts generated and made publicly available to the open-source community have the potential to revolutionize the way analysts perform forensics tasks, thus protecting smartphone users and their Android devices against cyber-attacks. Furthermore, this project, performed in a Hispanic-serving institution, involves recruitment of students from under-represented groups in computing. This project innovatively applies container-based virtualization to address the long-standing challenge of efficiently analyzing evasive malware. Current Android malware dynamic analysis platforms (i.e., Android emulators and bare-metal machines) have limitations. Powered by the transparent and customizable virtual environment, this out-of-the-box malware analysis approach overcomes existing analysis techniques' limitations and amplifies their benefits. This analysis environment is more resilient against evasive malware than standard Android emulators. Furthermore, the environment is stealthier and provides better flexibility and productivity for analysis than bare-metal machines. The novel Android container architecture has cross-disciplinary contributions: it improves resource utilization, reduces hardware costs, thus advancing automated malware analysis and streamlining the tasks of malware analysts. Moreover, other researchers can develop new techniques to boost more powerful malware analysis methods, such as behavior-based malware clustering and evasive malware detection. The success of this research potentially revolutionizes dynamic malware analysis methods and tips the balance of the malware war toward the defender.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着Android移动设备市场的成功，Android恶意软件(Malware)威胁着数十亿智能手机用户。在经济利润的驱动下，恶意软件作者强烈地逃避检测并挑战取证程序。在恶意软件检测/规避军备竞赛中，防御者应用分析技术，这些技术需要高度受控的环境来收集有关恶意软件操作的数据并洞察其意图，同时仍可防止恶意软件发现它在分析环境中运行。该项目引入了一个新颖的、可定制的恶意软件分析环境，能够处理规避的Android恶意软件。生成并向开源社区公开提供的软件制品有可能彻底改变分析师执行取证任务的方式，从而保护智能手机用户及其Android设备免受网络攻击。此外，这个项目是在一家西班牙裔服务机构进行的，涉及从计算机行业代表性不足的群体中招募学生。该项目创新性地应用了基于容器的虚拟化来解决高效分析规避恶意软件这一长期存在的挑战。目前的Android恶意软件动态分析平台(即Android模拟器和裸机)存在局限性。在透明和可定制的虚拟环境的支持下，这种开箱即用的恶意软件分析方法克服了现有分析技术的局限性，并放大了它们的好处。与标准的Android仿真器相比，这种分析环境对躲避恶意软件的恢复能力更强。此外，与裸机相比，该环境更隐蔽，提供了更好的灵活性和分析效率。新的Android容器架构具有跨学科的贡献：它提高了资源利用率，降低了硬件成本，从而推进了自动恶意软件分析，并简化了恶意软件分析师的任务。此外，其他研究人员可以开发新的技术来促进更强大的恶意软件分析方法，如基于行为的恶意软件集群和规避恶意软件检测。这项研究的成功可能会使动态恶意软件分析方法发生革命性的变化，并将恶意软件战争的天平向防御者倾斜。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Chosen-Instruction Attack Against Commercial Code Virtualization Obfuscators

• DOI: 10.14722/ndss.2022.24015
• 发表时间: 2022
• 期刊: Proceedings 2022 Network and Distributed System Security Symposium
• 作者: Shijia Li;Chunfu Jia;Pengda Qiu;Qiyuan Chen;Jiang Ming;Debin Gao

PolyCruise: A Cross-Language Dynamic Information Flow Analysis

PolyCruise：跨语言动态信息流分析

• 发表时间: 2022
• 期刊: Proceedings of the 31st USENIX Security Symposium
• 作者: Wen Li, Jiang Ming

One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries

• DOI: 10.1145/3503222.3507768
• 发表时间: 2022-02
• 期刊: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
• 作者: Haotian Zhang;Mengfei Ren;Yu Lei;Jiang Ming

Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization

• DOI: 10.1145/3460120.3484544
• 发表时间: 2021-11
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Wenna Song;Jiang Ming;Lin Jiang;Yi Xiang;Xuanchen Pan;Jianming Fu;Guojun Peng

Intelligent Zigbee Protocol Fuzzing via Constraint-Field Dependency Inference

通过约束场依赖推理进行智能 Zigbee 协议模糊测试

• 发表时间: 2023
• 期刊: In Proceedings of the 28th European Symposium on Research in Computer Security
• 作者: Mengfei Ren;Haotian Zhang;Xiaolei Ren;Jiang Ming;Yu Lei
• 通讯作者: Yu Lei